Media Coverage Archive

What data does your iOS app collect, and why?

Facebook’s latest privacy scandal came courtesy of a personality quiz app whose data was sold to a third party.

What about other apps? What do they collect, and with whom do they share that information? Should a free flashlight app have access to your calendar or contacts?

A new report by a mobile app security firm explores how iOS apps access different types of user information on people’s phones for advertising purposes. San Francisco-based Appthority says the apps are upfront about such data collection, but it also points out that that collection comes with additional risks.

The company looked at more than 2 million apps used in enterprises and found more than 24,000 apps whose data collection for advertising purposes it considers intrusive. Among the top apps it found that explicitly use data for advertising were a zip tool, weather-forecast apps, a flight tracker and news reader Flipboard.

The apps asked for access to iPhone users’ calendars, contacts, locations, camera, Bluetooth, photos and more. Some of the apps asked to access Siri, or to HomeKit so they could get to users’ internet-connected devices.

Although Appthority’s report was written to warn enterprise users of the risks of such data collection, individuals might want to heed the advice the company offers.

“The more apps they run, the more opportunity there is for that data to go somewhere they don’t want it to go,” said Seth Hardy, director of security research at Appthority.

He pointed out that developers don’t have ultimate control over where the data they collect ends up. Many app developers are trying to make money off their apps, and a common way to do that is to offer it for free and hook up with an ad network. Those ad networks have existing app libraries — resources with pre-written code — that developers use.

For example, “an app library could be fine originally, but then it could decide to allow advertisers to create calendar entries,” Hardy said. That might not have been what the app developer intended.

Apple did not return a request for comment about Appthority’s report.

But Morgan Reed, president of ACT | The App Association — which represents more than 5,000 app companies — pointed out that mobile apps don’t have a monopoly on this type of data use. Websites and apps have access to similar tools, he said. Websites can install cookies, access a computer’s camera, location and more.

“You look for a book on a website, it follows you for five weeks online,” he said.

Reed said the Facebook privacy mess — which involves political data-consulting firm Cambridge Analytica accessing the information of as many as 87 million Facebook users without their permission — serves as a good reminder for developers to know their partners.

“I don’t think it’s bad or wrong that apps need to collect info to provide a service and to make their app possible,” he said.

In its report, which was published earlier this month, Appthority recommends avoiding automatically granting permission to apps to access all the data they want: “Be aware that, often, the app can still function without the permission.”

The firm also recommends something that may not go over well with those who are used to getting things for “free”: Try installing a paid, ad-free version of an app instead.